Overview
Wave Connect takes security seriously. We implement industry-standard security practices across infrastructure, application development, access management, and employee operations to protect your data and your team’s information. For more details, visit security.wavecnct.com.
Compliance & Certifications
| Certification | Details |
|---|---|
| SOC 2 Type II | Certified. Report available under NDA — contact security@wavecnct.com |
| CSA STAR Level 1 | Listed in the Cloud Security Alliance STAR registry |
| GDPR | Fully compliant. Data Processing Agreement available for enterprise customers |
| EU AI Act | Compliant with applicable requirements |
Frameworks and standards followed:
- OWASP Top 10
- CSA CAIQ
- CIS benchmarks
- NIST-aligned practices
Infrastructure
Wave’s infrastructure is built on managed cloud services, operating under a shared responsibility model with our providers.
| Provider | Role |
|---|---|
| Google Cloud Platform | Core application infrastructure, compute, and networking |
| Vercel | Frontend delivery and edge network |
| PlanetScale | Database (MySQL-compatible, globally distributed) |
| Cloud Storage | File and asset storage |
Data Residency
- Customer application data is stored and processed in the United States
- Data is processed only in approved regions
- Enterprise customers can inquire about data residency options
Encryption
In transit
- TLS 1.3 for all connections
- HTTPS enforced across all endpoints
- HSTS enabled
At rest
- AES-256 encryption for all stored data
- Cloud-managed encryption keys via Google Cloud KMS
- Key rotation and access controls enforced through Secret Manager
Identity & Access Management
Authentication options
- SAML 2.0 Single Sign-On
- OpenID Connect (OIDC)
- SCIM 2.0 automated provisioning and deprovisioning
- Enforced through your SSO provider when SAML or OIDC is enabled
| Role | Access |
|---|---|
| Owner | Full account access, including billing and plan management |
| Admin | Manage users, templates, contacts, and settings |
| Manager | Manage team leads and distribute templates, no company-wide settings |
| Member | Use their assigned digital business card and view their own contacts |
| Viewer | Read-only access |
- All internal access follows the principle of least privilege
- Quarterly access reviews conducted internally
- Automated deprovisioning through SCIM when users leave
Password Security
- Minimum password length and complexity requirements enforced
- Account lockout after repeated failed login attempts
- Secure password reset via verified email
- Session timeout enforced on inactivity
Application Security
Secure development lifecycle
- Threat modeling as part of feature design
- Mandatory peer code review and pull request approval before merging
- Security requirements reviewed at each release
- Dedicated release approval process
- CodeQL static analysis on all code changes
- Automated dependency vulnerability scanning
- Secret scanning to prevent credential leaks in code
- OWASP Top 10 guidelines followed
- Input validation and output encoding enforced
- Dependency updates applied on a regular cadence
Vulnerability Management
Scanning
- Continuous automated dependency scanning
- Infrastructure vulnerability scanning
| Severity | Target remediation |
|---|---|
| Critical | 24 hours |
| High | 7 days |
| Medium | 30 days |
| Low | 90 days |
- Independent third-party penetration test conducted annually
- Findings are triaged and remediated according to severity timelines
Monitoring & Logging
Logs collected include:
- Authentication events (login, logout, failed attempts)
- Admin actions (user changes, settings updates)
- API activity
- Security events
- 24/7 cloud infrastructure monitoring via Google Cloud Monitoring
- Automated alerting on anomalies and security events
- Suspicious login detection
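The "suspicious login detection" and "automated alerting" bullets above describe outcomes rather than mechanics. The following is an added example, not Wave Connect's own tooling, of the kind of detection logic that turns collected authentication events into alerts: it parses constructed log lines (the `timestamp user ip outcome` format, the thresholds, the usernames and the IP addresses are all assumptions made for this illustration) and applies three defender-side rules: a burst of failed logins for one account inside a sliding window, a success that follows such a burst, and a success from an IP address the account has never used before.

```python
"""Detection logic over constructed authentication log lines.

Added example, not Wave Connect's own tooling: the log format, thresholds
and sample events below are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed "timestamp user ip outcome" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice 203.0.113.5 success
2024-05-01T09:02:10Z bob 198.51.100.7 failure
2024-05-01T09:02:15Z bob 198.51.100.7 failure
2024-05-01T09:02:20Z bob 198.51.100.7 failure
2024-05-01T09:02:25Z bob 198.51.100.7 failure
2024-05-01T09:02:31Z bob 198.51.100.7 failure
2024-05-01T09:03:00Z bob 198.51.100.7 success
2024-05-01T09:30:00Z carol 192.0.2.9 failure
2024-05-01T11:30:00Z carol 192.0.2.9 success
2024-05-01T12:00:00Z alice 198.51.100.44 success
"""

FAILURE_THRESHOLD = 5            # failures inside WINDOW that raise an alert (assumed)
WINDOW = timedelta(minutes=10)   # sliding window for counting failures (assumed)


def parse_line(line):
    """Split one log line into (timestamp, user, ip, outcome)."""
    ts, user, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome


def detect_suspicious_logins(log_text):
    """Return alerts as (rule, user, detail) tuples, in log order.

    Rules (all assumptions for this example):
      brute_force          FAILURE_THRESHOLD or more failures for one user within WINDOW
      success_after_burst  a success for a user who was just flagged for brute_force
      new_ip               a success from an IP the user has never succeeded from,
                           once the user has at least one known IP (first login is not flagged)
    """
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of recent failures
    known_ips = defaultdict(set)           # user -> IPs with an earlier success
    flagged = set()                        # users already alerted for brute_force

    for line in log_text.strip().splitlines():
        ts, user, ip, outcome = parse_line(line)
        if outcome == "failure":
            window = recent_failures[user]
            window.append(ts)
            while ts - window[0] > WINDOW:     # drop failures older than WINDOW
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and user not in flagged:
                alerts.append(("brute_force", user,
                               f"{len(window)} failures from {ip} within {WINDOW}"))
                flagged.add(user)
        elif outcome == "success":
            if user in flagged:
                alerts.append(("success_after_burst", user,
                               f"success from {ip} after a burst of failures"))
                flagged.discard(user)          # alert once per burst
            elif known_ips[user] and ip not in known_ips[user]:
                alerts.append(("new_ip", user, f"success from previously unseen ip {ip}"))
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_suspicious_logins(SAMPLE_LOG):
        print(f"{rule:20} {user:8} {detail}")
```

Run against the constructed log, the rules yield a `brute_force` alert for `bob`, a `success_after_burst` alert when `bob` then logs in, and a `new_ip` alert for `alice`, while `carol`'s single failure followed by a success from the same address stays quiet. In a real pipeline the `new_ip` rule would usually be enriched with geolocation (the page lists MaxMind as a sub-processor for exactly that purpose) so that a new IP in the user's usual region ranks lower than one from a new country.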
Incident Response
Wave maintains a formal Incident Response Plan covering:
- Severity classification: Critical, High, Medium, Low
- Investigation process: containment, analysis, and evidence preservation
- Root cause analysis: post-incident review for all significant events
- Customer notification: affected customers are notified promptly in accordance with regulatory requirements
- Regulatory notification: GDPR breach notifications within 72 hours where applicable
- Post-mortems: documented and reviewed internally after major incidents
Business Continuity & Backups
Recovery objectives
- RTO (Recovery Time Objective): 4 hours
- RPO (Recovery Point Objective): 1 hour
- Formal BCP in place and tested semi-annually
- Disaster Recovery Plan tested on a regular basis
- Daily automated backups
- Backups encrypted at rest
- Restore testing performed regularly
- Backup retention aligned with data classification policies
Availability
- High availability architecture with automatic failover
- Status page available at status.wavecnct.com
- SLA available for Enterprise customers
Network Security
- Google Cloud Firewall and Cloud Armor
- DDoS mitigation at the network and application layer
- Rate limiting on all API endpoints
- OWASP-aligned protections (injection, XSS, CSRF)
- Intrusion detection and prevention systems (IDS/IPS)
Endpoint Security
All employee devices are subject to:
- Full disk encryption
- Company-managed device policy
- Antivirus and endpoint protection
- Automatic OS and security updates
- Screen lock enforcement
- Minimum device requirements for remote access
Physical Security
Wave is a remote-first company. There are no on-premises data centers. Physical infrastructure security is managed by Google Cloud, whose data centers are independently certified to ISO 27001, SOC 2, and other standards. Employees follow secure home office requirements, and devices are securely disposed of at end of life.
Employee Security
- Background checks conducted for all employees
- Security awareness training at onboarding
- Quarterly security and privacy training
- Acceptable Use Policy signed by all employees
- Confidentiality agreements in place
Vendor Security
Wave maintains a Vendor Risk Management Program. Third-party providers are reviewed before onboarding and assessed based on their security posture (SOC 2 reports, security questionnaires, and vendor assessments).
Key sub-processors
| Vendor | Purpose |
|---|---|
| Google Cloud | Infrastructure and compute |
| Vercel | Frontend and edge delivery |
| PlanetScale | Database |
| Twilio | SMS communications |
| Stripe | Payment processing |
| Shopify | E-commerce |
| Zendesk | Customer support |
| Microsoft | Productivity and integrations |
| MaxMind | IP geolocation |
AI Security
Wave uses AI in the following features:
- Universal Badge Scanner: OCR to extract contact information from business cards and event badges
- Contact enrichment: Filling in missing profile fields from public sources
- Content moderation: Detecting policy-violating content on profiles
- Customer data is not used to train AI models
- AI features can be disabled where applicable
- AI providers are disclosed in our sub-processor list
Data Classification
| Classification | Description |
|---|---|
| Public | Marketing content, public-facing documentation |
| Internal | Operational data, internal communications |
| Confidential | Customer data, business data, security configurations |
| Restricted | Authentication credentials, encryption keys, audit logs |
Data Protection
- Logical tenant isolation: each organization’s data is separated at the application and database level
- Role-based access control prevents cross-tenant data access
- Audit logging for all sensitive operations
- Data minimization principles applied at collection
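The first three bullets above (tenant isolation, role-based access control, audit logging) are easiest to understand as one access path. The following is an added example, not Wave Connect's own code, of how those three controls combine in an application-layer data access function: every row carries an organization id, every query filters on the caller's organization before any role logic runs, roles gate what is returned within that organization, and each sensitive call is written to an audit log whether it succeeds or is refused. The in-memory store, the permission table, the `Principal` type and the sample rows are assumptions constructed for illustration; only the role names come from the role table on this page.

```python
"""Tenant-scoped data access with role checks and audit logging.

Added example, not Wave Connect's own code: the in-memory store, the
permission table and the sample rows are assumptions constructed for
illustration. Only the role names are taken from the role table on the page.
"""
from dataclasses import dataclass

# Which operations each role may perform; an assumption loosely derived from
# the role descriptions on this page.
ROLE_PERMISSIONS = {
    "Owner":   {"read_contacts", "manage_users", "manage_settings", "manage_billing"},
    "Admin":   {"read_contacts", "manage_users", "manage_settings"},
    "Manager": {"read_contacts", "manage_users"},
    "Member":  {"read_own_contacts"},
    "Viewer":  {"read_contacts"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str   # the tenant the session belongs to; never taken from the request body
    role: str


class AuthorizationError(Exception):
    pass


# Constructed rows. Every row carries org_id and every query filters on it.
CONTACTS = [
    {"id": 1, "org_id": "org-a", "owner": "u1", "name": "Ada"},
    {"id": 2, "org_id": "org-a", "owner": "u2", "name": "Grace"},
    {"id": 3, "org_id": "org-b", "owner": "u9", "name": "Linus"},
]

AUDIT_LOG = []   # (user_id, org_id, action, outcome) for every sensitive call


def _audit(principal, action, outcome):
    AUDIT_LOG.append((principal.user_id, principal.org_id, action, outcome))


def _permissions(principal):
    return ROLE_PERMISSIONS.get(principal.role, set())


def list_contacts(principal, org_id):
    """Return the contacts of org_id that principal may see.

    The tenant check runs before any role logic, so even an Owner of org-a
    is refused when asking for org-b.
    """
    if principal.org_id != org_id:
        _audit(principal, f"list_contacts:{org_id}", "denied:cross-tenant")
        raise AuthorizationError("cross-tenant access denied")
    perms = _permissions(principal)
    rows = [r for r in CONTACTS if r["org_id"] == org_id]
    if "read_contacts" in perms:
        visible = rows
    elif "read_own_contacts" in perms:
        visible = [r for r in rows if r["owner"] == principal.user_id]
    else:
        _audit(principal, f"list_contacts:{org_id}", "denied:role")
        raise AuthorizationError(f"role {principal.role!r} may not read contacts")
    _audit(principal, f"list_contacts:{org_id}", f"ok:{len(visible)}")
    return visible


def get_contact(principal, contact_id):
    """Fetch one contact by id, scoped to the caller's tenant.

    The lookup matches on id AND org_id together, so an id that belongs to
    another organization is indistinguishable from one that does not exist.
    """
    perms = _permissions(principal)
    for r in CONTACTS:
        if r["id"] == contact_id and r["org_id"] == principal.org_id:
            allowed = "read_contacts" in perms or (
                "read_own_contacts" in perms and r["owner"] == principal.user_id)
            if allowed:
                _audit(principal, f"get_contact:{contact_id}", "ok")
                return r
    _audit(principal, f"get_contact:{contact_id}", "not-found-or-denied")
    return None


if __name__ == "__main__":
    admin = Principal("u1", "org-a", "Admin")
    print([r["name"] for r in list_contacts(admin, "org-a")])   # both org-a rows
    print(get_contact(admin, 3))                                  # None: row belongs to org-b
    for entry in AUDIT_LOG:
        print(entry)
```

The design point is that `org_id` on the `Principal` comes from the authenticated session, never from a request parameter, and that the tenant filter is applied in the query itself rather than after the fact; with a database such as the one listed under Infrastructure, the same rule means every `WHERE` clause on a tenant-owned table includes the organization column, so a forgotten role check degrades to "too much visible within one organization" rather than to cross-tenant exposure.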
Enterprise Security Features
Single Sign-On (SAML)
Authenticate users through your identity provider via SAML 2.0 or OIDC.
Directory Sync (SCIM)
Automate user provisioning, deprovisioning, and team mapping.
Custom Domains
Use your own domain for Wave profiles and sharing links.